Administration
Enabling Secure Partner and Vendor Access with Okta Workflows
Ajay Seetharam

Overview


A key approach to ensuring secure partner and vendor access is to use the Okta Realms feature. Realms enable efficient management of user populations within a single organization. With realms, you can partition users in the Universal Directory while allowing them to share Applications and assign entitlements based on common policies. Realms let you delegate the administration of users and groups to external collaborators or business units. Authentication Policies and Access Certification campaigns can be scoped to users in a realm. 


Realm Assignment Policies are defined based on Profile source (such as a specific Identity Provider designated as a profile source) and User Profile attributes. However, some customers need to assign users to realms based on data that is partially or wholly not stored in Universal Directory. In these cases, Okta Workflows - a no-code orchestration and automation platform for identity processes - can be used to manage the realm assignment for users. Workflows can be triggered by an Okta event (such as User Creation or User Update) or by a webhook from an external system. 


The Realm Assignment workflow is simple to create by leveraging the Okta and Okta Realms Workflows Connectors. 


Solution


The Flow Chart of a basic implementation is shown below.



Consider an example where the “Tier” of a customer is stored in an external application and the target Realms are as shown below.



Okta Workflows can look up the “Tier” information in the external application using a cloud-accessible API endpoint of the application and the Okta API Connector.


A mapping table in Okta Workflows maps the “Tier” level to the “Realm Name” as shown below.




The helper flow is passed the “Tier” and the “username” parameters and implements the logic shown in the Flow Chart.
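The helper flow's decision logic, re-implemented in Python as an added example (not the attached flopack, not Okta's code). The tier names, realm names, the external records and the fail-closed choice of sending anything without an explicit mapping-table hit to the Default Realm are assumptions made for the example:

```python
"""Helper-flow logic as plain Python: look up the user's Tier, map it to a
Realm Name through the mapping table, and fail closed on anything unexpected."""
from dataclasses import dataclass
from typing import Optional

# Constructed mapping table, standing in for the Okta Workflows table (Tier -> Realm Name).
TIER_TO_REALM = {
    "GOLD": "Partner-Gold",
    "SILVER": "Partner-Silver",
    "BRONZE": "Partner-Bronze",
}
# Realm used when no partner realm applies (Okta's Default Realm).
DEFAULT_REALM = "Default"

# Constructed stand-in for the external application's "Tier" records.
EXTERNAL_TIERS = {
    "alice@partner.example": "Gold",
    "bob@partner.example": " silver ",     # untidy casing/whitespace from the source system
    "carol@partner.example": "Platinum",   # tier that the mapping table does not know
}

@dataclass(frozen=True)
class Decision:
    username: str
    realm: str
    reason: str   # kept so the flow can log why a user landed where they did

def lookup_tier(username: str, records: dict) -> Optional[str]:
    """Stand-in for the API Connector call to the external application."""
    return records.get(username)

def normalize_tier(tier: str) -> str:
    """Compare against mapping-table keys case-insensitively, whitespace trimmed."""
    return tier.strip().upper()

def decide_realm(username: str, records: dict = EXTERNAL_TIERS) -> Decision:
    """Fail closed (assumed design choice): only an explicit mapping-table hit
    places a user in a partner realm; everything else goes to the Default Realm."""
    tier = lookup_tier(username, records)
    if tier is None:
        return Decision(username, DEFAULT_REALM, "no tier record in external app")
    realm = TIER_TO_REALM.get(normalize_tier(tier))
    if realm is None:
        return Decision(username, DEFAULT_REALM, f"tier {tier.strip()!r} not in mapping table")
    return Decision(username, realm, f"tier {normalize_tier(tier)} mapped")

def assignment_needed(current_realm: str, decision: Decision) -> bool:
    """Skip the Okta Realms connector call when the user is already in the right
    realm, so bulk runs do not burn API rate limit on no-op updates."""
    return current_realm != decision.realm
```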



The helper flow and mapping table flopack is attached for your reference. To configure the flow, the mapping table data needs to be populated. 


The key design consideration with this approach is to ensure that no Realm Assignment policies are defined, i.e., only Workflows are used for realm assignment. Note that if there are no Realm Assignment policies and an Administrator triggers “Run all Realm Assignments”, users will be put into the Default Realm. As always, check the documentation on Okta Workflows system limits, Realms requirements and limitations, and applicable API Rate limits.


Conclusion


In summary, Realms are crucial to establish secure user boundaries for partner organizations within Universal Directory, avoiding the need for complex deployment models. In cases where realm assignment is based on user attributes that are not in Universal Directory, Okta Workflows provides a simple way to manage the Realm Assignments with the Okta and Okta Realms Connectors. 


--

About the author: Ajay Seetharam, CISSP, drives security solutions that truly transform. As a Principal Solutions Architect in Okta's Office of the Field CTO, Ajay brings deep, hands-on expertise in Cloud IaaS, PaaS, SaaS, Security, and Observability. He's dedicated to the practical implementation of Identity Security Posture Management and Governance, helping organizations build robust defenses. Ajay is renowned for helping enterprises efficiently automate critical security processes with Okta Workflows. Now, he's at the forefront, actively pioneering practical use cases of AI with Okta Workflows to deliver smarter, more proactive security operations.


